Thesis "validation dsl for client-server applications"

After this discussion Code.eval_something I was looking for some info and found this thesis; imo it contains valuable ideas and is readable for someone who did not study informatics: https://www.cas.mcmaster.ca/~carette/publications/FedorenkoThesis.pdf. Some quotes:

Most input preprocessing techniques for online applications were developed at the
beginning of this century, and in spite of their rapid advancement, there are still
some issues that validation frameworks have in common. In our opinion, one of
the root problems is their focus on initial experience of use of constructs rather
than security and code maintenance characteristics. While adding a validation
rule right to a view and then binding it to a model or business layer is not difficult
to implement, in the long term perspective, this approach does not scale well.
In such a case, changes in requirements demand modification on several layers,
and since request validation is usually splashed all over the codebase, in order to
grasp how a certain parameter is validated one would need to construct the whole
picture from different places. This introduces notable accidental complexity and is
not acceptable from the code support point of view.

All of the existing solutions that were studied include some set of validation
utility classes that can be utilized for data preprocessing. However, most of them
provide only basic validation/normalization rules and generally do not include a
toolkit that is sufficient enough for rapid application development. Due to lack of
uniformity, developers often need to write boilerplate code and validators which
might not take into account all traits or have security holes.

Most validation frameworks focus only on processing of web form input and do
not support the same interface for a URL path, regular GET/POST parameters,
cookies, and headers which can be also part of the input. Finally, we were not
able to find a solution that, besides its main validation capabilities, facilitates best
practices in usability of data input. As they are quite crucial for providing a good
user experience, ignoring them can result in a direct revenue loss.

one might be tempted to use the client
side language on the server side. For example, node.js is a JavaScript based
framework, that, amongst other things, allows sharing part of the application code
on both sides so most validation rules need not be written twice. However, as
JavaScript was designed for handling HTML pages and not as a general purpose
programming language, it lacks some crucial features which makes development
of enterprise applications less convenient.
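The quoted complaint that validation is scattered across layers and covers only form input, sketched as an added example (not code from the post or the thesis): a single server-side rule table that validates path, query, cookie and header values through one interface. `RULES`, `validateRequest`, the rule fields and the sample requests are all hypothetical.

```javascript
// Added example; RULES, validateRequest and the sample requests are hypothetical.
// One table declares every accepted input, whichever part of the request carries it.
const RULES = {
  userId:    { from: 'path',    required: true,  test: /^[1-9][0-9]{0,9}$/, norm: Number },
  page:      { from: 'query',   required: false, test: /^[1-9][0-9]{0,3}$/, norm: Number, dflt: 1 },
  session:   { from: 'cookies', required: true,  test: /^[A-Za-z0-9_-]{32}$/, norm: String },
  requestId: { from: 'headers', key: 'x-request-id', required: false,
               test: /^[0-9a-f]{8}$/, norm: String, dflt: null },
};
// Path and query keys are fully client-chosen, so undeclared ones are rejected.
// Cookies and headers always carry unrelated entries, so extras there are ignored.
const STRICT = ['path', 'query'];

function validateRequest(req, rules = RULES) {
  const values = {};
  const errors = [];
  const declared = new Set();
  for (const [name, rule] of Object.entries(rules)) {
    const key = rule.key || name;
    declared.add(`${rule.from}.${key}`);
    const bag = req[rule.from] || {};
    const raw = Object.prototype.hasOwnProperty.call(bag, key) ? bag[key] : undefined;
    if (raw === undefined) {
      if (rule.required) errors.push(`${rule.from}.${key}: missing`);
      else values[name] = rule.dflt;
    } else if (typeof raw !== 'string' || !rule.test.test(raw)) {
      // Non-strings (e.g. arrays from a repeated parameter) fail closed here.
      errors.push(`${rule.from}.${key}: invalid`);
    } else {
      values[name] = rule.norm(raw); // typed, normalized value for the business layer
    }
  }
  for (const src of STRICT) {
    for (const key of Object.keys(req[src] || {})) {
      if (!declared.has(`${src}.${key}`)) errors.push(`${src}.${key}: unexpected`);
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, values };
}

// Constructed sample requests, already split into sources by a (hypothetical) router.
const good = { path: { userId: '42' }, query: { page: '3' },
  cookies: { session: 'A'.repeat(32), theme: 'dark' },
  headers: { 'x-request-id': 'deadbeef', 'user-agent': 'curl/8' } };
const bad = { path: { userId: '42abc' }, query: { page: ['1', '2'], debug: 'true' },
  cookies: {}, headers: {} };
console.log(validateRequest(good));
console.log(validateRequest(bad));
```

To see how any parameter is validated, a reader looks at one table entry; a requirement change edits that entry only.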